Global security agencies release recommendations for software manufacturers, customers

The U.S. security agencies, along with the cybersecurity authorities of Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand (CERT NZ, NCSC-NZ), published joint guidance on Thursday that recommends manufacturers develop a written roadmap for implementing and delivering security in their product design and development processes. The authoring agencies recommend that software manufacturers implement the strategies outlined in the sections below to take ownership of their customers' security outcomes through secure-by-design and secure-by-default principles.

The authoring agencies also recommend that organizations hold their supplying technology manufacturers accountable for the security outcomes of their products, according to the guidance. “As part of this, the authoring agencies recommend that organizational executives prioritize the importance of purchasing secure-by-design and secure-by-default products. This can manifest through establishing policies requiring that IT departments assess the security of manufacturer software before it is purchased, as well as empowering IT departments to push back if necessary,” it added.

Technology manufacturers are encouraged to adopt a strategic focus that prioritizes software security, the guidance outlined. The authoring agencies developed three core principles to guide software manufacturers in building software security into their design processes prior to developing, configuring, and shipping their products.

The principles hold that the burden of security should not fall solely on the customer: software manufacturers should take ownership of the security outcomes of their customers' purchases and evolve their products accordingly. They must also embrace radical transparency and accountability while delivering safe and secure products, differentiating themselves from the rest of the manufacturer community based on their ability to do so. Finally, they must build the organizational structure and leadership needed to achieve these goals.

The guidance outlines that this may include sharing information learned from customer deployments, such as the uptake of strong authentication mechanisms by default. It also includes a strong commitment to ensuring that vulnerability advisories and the associated Common Vulnerabilities and Exposures (CVE) records are complete and accurate. “However, beware of the temptation to count CVEs as a negative metric, since such numbers are also a sign of a healthy code analysis and testing community,” it added.

The guidance said that while technical subject matter expertise is critical to product security, senior executives are the primary decision-makers for implementing change in an organization. 

Executive-level commitment for software manufacturers to prioritize security as a critical element of product development requires the development of partnerships with an organization’s customers to understand:

  1. Product deployment scenario guidance along with a tailored threat model.
  2. The proposed implementation of security controls to align with secure-by-default principles.
  3. Resource allocation strategies tailored to company size and the ability to replace legacy development practices with secure-by-design practices.
  4. The need to maintain an open line of communication for feedback, internally and externally, regarding product security issues. Software security should be emphasized in internal forums as well as in external product marketing and customer engagement.
  5. Measurements of effectiveness within customer deployments. Senior executive leaders will want to know where investments in security by design and by default are helping customers by slowing the pace of security patches, reducing configuration errors, and minimizing the attack surface.

To enable these three principles, manufacturers should consider several operational tactics to evolve their development processes. These include convening routine meetings with company executive leadership to drive the importance of secure-by-design and secure-by-default within the organization. Policies and procedures should be established to reward production teams that develop products adhering to these principles, which could include awards for implementing outstanding software security practices or incentives for job ladders and promotion criteria.

Manufacturers should also organize around the importance of software security to business success. For example, they could assign a ‘software security leader’ or a ‘software security team’ that upholds business and IT practices to directly link software security standards with manufacturer accountability. Manufacturers should also ensure they have robust, independent product security assessment and evaluation programs for their products.

The guidance further suggests using a tailored threat model during development to prioritize the most critical and high-impact products. Threat models consider a product’s specific use case and enable development teams to fortify products. Finally, senior leadership should hold teams accountable for delivering secure products as a key element of product excellence and quality.

Turning to customers, the guidance also recommends that organizations hold their supplying technology manufacturers accountable for the security outcomes of their products.

“IT departments should be empowered to develop purchasing criteria that emphasize the importance of Secure-by-Design and Secure-by-Default practices,” the guidance said. “Furthermore, IT departments should be supported by executive management when enforcing these criteria in purchasing decisions. Organizational decisions to accept the risks associated with specific technology products should be formally documented, approved by a senior business executive, and regularly presented to the Board of Directors.”

The guidance also adds that key enterprise IT services that support the organization’s security posture, such as the enterprise network, enterprise identity and access management, and security operations and response capabilities, should be seen as critical business functions and funded in line with their importance to the organization’s mission success. Organizations should develop a plan to upgrade these capabilities to leverage manufacturers that embrace secure-by-design and secure-by-default practices.

Security should be a critical element of supplier relationships, and organizations should strive to reinforce the importance of secure-by-design and secure-by-default practices in both the formal and informal dimensions of those relationships.

“Organizations should expect transparency from their technology suppliers about their internal control posture as well as their roadmap towards adopting Secure-by-Design and Secure-by-Default practices,” according to the guidance. “In addition to making Secure-by-Default a priority within an organization, IT leaders should collaborate with their industry peers to understand which products and services best embody these design principles. These leaders should coordinate their requests to help manufacturers prioritize their upcoming security initiatives. By working together, customers can help provide meaningful input to manufacturers and create incentives for them to prioritize security,” it added. 

The guidance also notes that the two principles, secure-by-design and secure-by-default, move much of the burden of staying secure onto manufacturers and reduce the chances that customers will fall victim to security incidents resulting from misconfigurations, insufficiently fast patching, or many other common issues. Apart from specific technical recommendations, the guidance outlines several core principles to guide software manufacturers in building software security into their design processes before developing, configuring, and shipping their products.

Commenting on the guidance release, Duncan Greatwood, CEO at zero trust security firm Xage Security, said that “we welcome this additional push to see core security capabilities like MFA enabled for every element of an operating environment – whether that environment is a consumer’s home, or critical national energy infrastructure, or something in between.”

“With our focus on critical operations, we’d note that many of these core security capabilities are still not fully implemented even in the most sensitive situations such as energy or transport infrastructure,” according to Greatwood. “In some cases, in those complex operating environments, it is necessary to overlay existing systems with newer cybersecurity mechanisms, since a ‘rip and replace’ of existing systems may be impractical. Even so, this push by CISA to introduce effective cyber defenses for individual consumer and small business products should be another wake-up call for infrastructure operators. After all, it would be ironic if the cyber attack prevention for devices in a typical home came to be stronger than those blocking attacks against critical infrastructure.”

Additionally, the direction of these new CISA principles pushes cybersecurity further toward identity-based (aka ‘zero trust’) preventative cybersecurity, Greatwood points out. “The CISA principles are intended to improve the protection of each individual device, even in the event that attackers are able to compromise the user’s network – which is a core tenet of zero trust. It is also necessary to protect the system as a whole, not only individual elements, meaning protection needs to be end-to-end, especially in the more complex environments,” he added.

Earlier this week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an update to the Zero Trust Maturity Model (ZTMM), providing agencies a roadmap to reference as they transition towards zero-trust architecture, superseding the initial version released in September 2021. The objective of the update is to facilitate the distribution of the ZTMM version 2.0 and educate federal civilian agencies on the updated ZTMM and its application to their zero-trust implementations.
